
Harden Release Drafter workflow#423

Merged
amishas157 merged 2 commits into release-v20260512 from fix/release-workflow-hardening on May 6, 2026

Conversation

@amishas157
Contributor

Summary

Migrate the deprecated ::set-output workflow command to $GITHUB_OUTPUT, and pass branch / version values through env: rather than re-interpolating them into bash. This:

  • Removes the script-injection surface from PR-controlled values flowing into run: blocks (matches GitHub's Actions hardening guide).
  • Unblocks future runner-image upgrades that drop ::set-output support.

Behavior is unchanged — the workflow still produces the same BRANCH, TAG, and NEXT_VERSION step outputs and uses them in the same downstream steps.

Impact today is limited (workflow only runs on merged PRs from upstream branches), but the fix is mechanical defense-in-depth.

Test plan

  • After merge, the next merged PR triggers Release Drafter and tags + publishes a release as before.

chowbao and others added 2 commits May 6, 2026 11:34
Migrate the deprecated ::set-output workflow command to $GITHUB_OUTPUT,
and pass branch name / version values through env: rather than
re-interpolating them into bash. Closes a script-injection class on the
release path and unblocks future runner-image upgrades that drop
::set-output support.

Follows GitHub's Actions security hardening guidance for handling
untrusted context in run blocks.
Copilot AI review requested due to automatic review settings May 6, 2026 16:50
@amishas157 amishas157 requested a review from a team as a code owner May 6, 2026 16:50

Copilot AI left a comment

Pull request overview

This PR hardens the Release Drafter GitHub Actions workflow by replacing the deprecated ::set-output command with $GITHUB_OUTPUT and reducing interpolation of PR-controlled values inside run: blocks, aligning with GitHub Actions security hardening guidance while preserving existing behavior.

Changes:

  • Migrates step outputs (BRANCH, TAG, NEXT_VERSION) from ::set-output to $GITHUB_OUTPUT.
  • Passes BRANCH_NAME, CURRENT_VERSION, and NEXT_VERSION through env: to avoid re-interpolating expressions into shell scripts.
  • Adds quoting in branch-pattern checks and tag creation/push commands for safer shell execution.

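The mechanism behind both the PR description and the Copilot overview above, as an added example that is not code from this repository's workflow: a shell script that simulates how the runner substitutes a `${{ }}` expression textually into a `run:` step (the old `::set-output` form) versus how an `env:` variable reaches the same step. The branch name in `EVIL_REF` is constructed; the function names are assumed for illustration, and the YAML in the comments is a generic sketch of the before/after, not the project's actual diff (which this page does not show).

```shell
#!/usr/bin/env bash
# Added example, not the project's workflow. Simulates the two ways a
# PR-controlled value (here the PR head branch name) can reach a run: step.
# Function names are assumed for illustration.
set -eu

# Constructed attacker-controlled branch name. It is a valid git ref (no
# spaces, no control characters) yet carries a closing quote and a command;
# ${IFS} stands in for the space a ref name cannot contain.
EVIL_REF='feature";echo${IFS}INJECTED;echo"'

# BEFORE: the ${{ }} expression is substituted as text into the script
# before the shell runs it, so the value becomes code. Sketch of the old step:
#   run: echo "::set-output name=BRANCH::${{ github.event.pull_request.head.ref }}"
run_old_style() {
  ref="$1"
  script="echo \"::set-output name=BRANCH::${ref}\""   # what the runner hands to bash
  bash -c "$script"
}

# AFTER: the expression goes into env:, the script text is fixed, and the
# value only appears as data in an expanded variable. Sketch of the new step:
#   env:
#     BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
#   run: echo "BRANCH=$BRANCH_NAME" >> "$GITHUB_OUTPUT"
run_env_style() {
  ref="$1"
  out="$(mktemp)"
  BRANCH_NAME="$ref" GITHUB_OUTPUT="$out" \
    bash -c 'echo "BRANCH=$BRANCH_NAME" >> "$GITHUB_OUTPUT"'
  cat "$out"
  rm -f "$out"
}

# Read one key back out of a $GITHUB_OUTPUT-style body (KEY=value lines),
# the way a later step sees steps.<id>.outputs.<KEY>.
output_value() {
  printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# True when the payload's command actually executed: INJECTED appears as a
# whole output line rather than as part of the branch-name value.
ran_injected_command() {
  printf '%s\n' "$1" | grep -qx 'INJECTED'
}

if [ "${1:-}" = "demo" ]; then
  old="$(run_old_style "$EVIL_REF")"
  new="$(run_env_style "$EVIL_REF")"
  ran_injected_command "$old" && echo "old style: injected command ran"
  ran_injected_command "$new" || echo "env style: value stayed data: $(output_value "$new" BRANCH)"
fi
```

Run it with `bash hardened_output.sh demo` to see both outcomes side by side. Two caveats for anyone adapting the pattern beyond a branch name: a value that can contain newlines (a PR title, unlike a ref name) must be written to `$GITHUB_OUTPUT` with the `NAME<<DELIM` delimiter form, and `env:` only protects `run:` steps; the same value handed to a third-party action's `with:` input is only as safe as that action's own handling of it.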

@amishas157 amishas157 changed the base branch from master to release-v20260512 May 6, 2026 17:13
Contributor

@hunterpack hunterpack left a comment


lgtm

@amishas157 amishas157 merged commit 3f65971 into release-v20260512 May 6, 2026
12 checks passed
@amishas157 amishas157 deleted the fix/release-workflow-hardening branch May 6, 2026 19:39
